I'm polling the group. For those of you who still use PSKs (and not RADIUS or 802.1X, for example) for Wi-Fi connections, I am curious about your discipline for handling the PSKs. Are there ever times or moments where you provide PSKs to the users, or do you insist on inputting them into the device's wireless profile, so that users have no need to handle them?
My previous company maintained two wifi connections, one for employees to log into the corporate network using 2-factor (RSA) authentication, and the other a guest network that connected only to the Internet, with no internal corporate access. The guest network password was changed weekly, and give freely to visitors.
Given that even the most basic home wifi routers now have a Guest mode in addition to full internal network, why would any corporation have only their internal wifi available?
Thanks for your reply. You've correctly assumed that a guest network should be (or is already) in place. I'm solely asking how an IT staff handles an in situ corporate Wi-Fi system if a corporately-issued device requires reconnection after issue.
If we used your example, by the way, the computer could associate to the guest Wi-Fi access, then could be remotely administered by the IT team and the corporate WPA2 profile be repaired for permanent use.
Or I could ask my question differently: do any readers ever have a compulsion or need to hand out the PSK for a corporate network -- at all?
Eric @ericgeater after reading your reply I re-read the original post. This time I realized what you meant with "or do you insist on inputting them into the device's wireless profile, so that users have no need to handle them?"
That procedure seems inappropriate because someone with access to the device might be able to get into both it and the network by cracking only the device access process. Solid authentication into the device and separate authentication into teh network seems like a better plan
We have a third wifi network for devices that can not handle WPA2, such as warehouse scan guns. For this, we hand out a pre-shared key and also white-list the device MAC address.
Maybe I'm misunderstanding you.
Before a technician provides a computer to an employee, they typically configure Wi-Fi on the employee's behalf for the corporate network. They input the SSID, insert the corporate pre-shared key, then save this into the employee's profile. That way the employee should always connect to the corporate network when in the office.
If, for some reason, a computer "forgets" the corporate PSK, we typically do not hand it out for the employee to put back in on their own. We'll give them the guest account SSID and PSK, then remotely control their computer and replace the corporate SSID and PSK. We never communicate the actual PSK to the users.
I would prefer to never tell the users the pre-shared key, because they have no reason to possess it. We never hand out the administrator password, so I'm curious if there are any cases when it's okay to provide an employee the PSK.
I know this is a targeted question, and I thank you for putting up with it.